
Security is a complicated matter. This is especially true with Web services. Enunciate's role in Web service security is to make it possible to plug in an existing security framework and then get out of the way.

Enunciate used to provide configuration elements for applying security, but it soon became apparent that a pluggable security interface was much more powerful and flexible.

This document will show how to apply security to your Web service endpoints using Spring Security. This document is not intended to be a reference for Spring Security, only to demonstrate how to apply Spring Security to your Web services using Enunciate.

Step 1: Configure the Servlet Filter

Spring Security basically works by passing the HTTP request through a servlet filter. Once you go through the Spring Security documentation you'll understand how to create a minimal security configuration like this one:

This configures a security filter named 'securityFilter' that will secure all requests with HTTP Basic Auth. There are two users configured, 'jimi' and 'bob'.

Put this in a file called spring-security.xml and put it at the root of your classpath.
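A configuration matching the description above, as an added example rather than the page's original listing. It assumes the Spring Security 3.1 XML namespace, and the passwords are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml: added example, not the original listing from this page.
     Assumes the Spring Security 3.1 XML namespace. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Every request must carry HTTP Basic credentials for a user holding ROLE_USER.
       Basic auth only base64-encodes the password, so expose the endpoints over TLS. -->
  <http>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <http-basic/>
  </http>

  <!-- In-memory users for demonstration. Passwords are constructed placeholders;
       plaintext passwords in a classpath file are not suitable for production. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="jimi" password="CHANGE_ME_1" authorities="ROLE_USER"/>
        <user name="bob" password="CHANGE_ME_2" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>

  <!-- The <http> element registers its filter chain as 'springSecurityFilterChain'.
       Alias it so a servlet filter named 'securityFilter' can find the bean. -->
  <beans:alias name="springSecurityFilterChain" alias="securityFilter"/>
</beans:beans>
```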

Step 2: Configure Enunciate

From here, it's just a matter of configuring Enunciate to apply your security filter. This is done in the Enunciate configuration file:

Here we've made sure that Spring notices our security configuration (by 'importing' spring-security.xml) and then told Enunciate to apply the servlet filter to all of our Web service endpoints (using a global servlet filter).

The org.springframework.web.filter.DelegatingFilterProxy is a Spring filter that delegates its logic to a bean with the same name as the filter, in this case 'securityFilter'.

  1. Jan 18, 2012

    Hi Ryan, 

    To complete this tutorial, I was wondering how you would imagine to encode the user credentials in a RESTful call using Enunciate-generated client stubs. As far as I understand, on the client side, we can just invoke the Enunciate-created remote objects without having to encode our own XML or JSON. But then what would be the best practice for sending the credentials along?

    Never mind, I found the following link which might have answered my question: Using the generated client-side services